I'm getting data to it that I neither expect nor want to get, and I'm trying to pinpoint the source of this data. So how can I find which process sends data to a specific port, as opposed to which process is listening?

4 Answers

For TCP (though the same approach would work for SCTP or any connection-oriented transport protocol), the same as for looking for the listening one:

lsof -nPi tcp:the-port

Will report the processes that have a TCP socket open on that port. If you know the source port (your server application can know about it and log it), you can use that instead to pinpoint the rogue client.

For UDP or RAW sockets, it would be trickier though I suppose it's where something like systemtap or dtrace can come handy. Possibly auditd as well.
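Added example, not part of this answer and not a feature of lsof or ss: a POSIX sh and awk function that applies the distinction the question asks about to the output of ss -tunap, selecting sockets by their peer port (the sending side) or by their local port (the listening side and its accepted connections). The function names are mine, the pids and process names are made up, and the ss output is constructed inline so the block runs offline.

```shell
#!/bin/sh
# Added example (not from the answer above): tell the sending side of a port
# apart from the listening side in `ss -tunap` output.
#   port_owners PORT peer   -> processes holding a socket whose *remote* port is PORT
#                              (the clients sending to PORT, when run on the client host)
#   port_owners PORT local  -> processes bound to PORT (listener plus accepted sockets)
# Reads ss output on stdin, so on a live host run:  ss -tunap | port_owners 1234 peer
# Needs only POSIX sh and awk. Run ss as root, otherwise the Process column is
# empty for other users' sockets and the function says so.
port_owners() {
    awk -v port="$1" -v side="${2:-peer}" '
        $1 == "Netid" { next }                       # ss header line
        {
            addr = (side == "local") ? $5 : $6       # Local Address:Port or Peer Address:Port
            n = split(addr, part, ":")               # IPv6 has many colons: port is the last piece
            if (part[n] != port) next
            proc = ($7 == "") ? "(no process shown: run ss as root / with -p)" : $7
            # users:(("curl",pid=4242,fd=5)) -> curl pid=4242
            if (match(proc, /\(\("[^"]*",pid=[0-9]+/)) {
                proc = substr(proc, RSTART + 3, RLENGTH - 3)
                sub(/",/, " ", proc)
            }
            printf "%s %-6s local=%s peer=%s %s\n", $1, $2, $5, $6, proc
        }'
}

# Constructed sample of `ss -tunap` output (documentation-range addresses;
# pids and process names made up) so the example runs offline.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port     Peer Address:Port      Process
tcp   ESTAB  0      0      192.0.2.10:54321       192.0.2.20:1234        users:(("curl",pid=4242,fd=5))
udp   UNCONN 0      0      0.0.0.0:68             0.0.0.0:*              users:(("dhclient",pid=611,fd=6))
tcp   LISTEN 0      128    0.0.0.0:1234           0.0.0.0:*              users:(("nc",pid=999,fd=3))
tcp   ESTAB  0      0      192.0.2.10:1234        192.0.2.30:40000       users:(("nc",pid=999,fd=4))
udp   ESTAB  0      0      192.0.2.10:51000       192.0.2.20:1234        users:(("ntpdate",pid=777,fd=3))
tcp   ESTAB  0      0      [2001:db8::10]:43210   [2001:db8::20]:1234    users:(("python3",pid=1313,fd=7))
EOF
}

echo "== sockets whose peer port is 1234 (the senders) =="
sample_ss_output | port_owners 1234 peer
echo "== sockets whose local port is 1234 (the listener side) =="
sample_ss_output | port_owners 1234 local
```

On the sample, the peer lookup names curl, ntpdate and python3 and skips both nc sockets, while the local lookup returns only nc. The udp line shows up on the peer side only because that socket was connect()ed; an unconnected UDP sender has no peer in the socket table, which is why the answer points at systemtap, dtrace or auditd for that case. When the server has logged the client's source port, the same function answers the answer's other suggestion when run on the client host: port_owners 54321 local. ss -tunap is the iproute2 replacement for netstat -tunap; the parser assumes the column layout ss prints, which netstat does not share.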

Depending on the type of connection it establishes to send data, one of these approaches will get you somewhere.

Use tcpdump port 1234 to acquire the data being sent to this port. You can use a program like Wireshark to analyze it on another machine (captured to a file using the -w option). Alternatively, use Wireshark directly.

In case it establishes and keeps open a TCP/UDP connection, you could use netstat to find the remote IP of the connection.

List open sockets of a process as in the answer provided by @StephaneChazelas.
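Added example, not part of this answer and not a tcpdump feature: once the traffic has been captured with tcpdump -w as the answer suggests, this POSIX sh and awk function reads the one-line-per-packet summary that tcpdump -nn -r prints and lists each distinct sender address and source port seen talking to the port. The function names are mine and the capture lines are constructed inline so the block runs offline; the source port it prints is what the first answer says to look up on the sending host to name the process.

```shell
#!/bin/sh
# Added example (not from the answer above): after
#   tcpdump -nn -w port-1234.pcap port 1234
# has captured the unwanted traffic, list each distinct sender (address and
# source port) that sent packets *to* the port. Reads the summary lines of
#   tcpdump -nn -r port-1234.pcap
# on stdin. -nn matters: resolved names would not carry the numeric ".port"
# suffix this parser expects.
#   capture_sources PORT
capture_sources() {
    awk -v port="$1" '
        $2 == "IP" || $2 == "IP6" {
            dst = $5; sub(/:$/, "", dst)                 # "192.0.2.10.1234:" -> "192.0.2.10.1234"
            if (!match(dst, /\.[0-9]+$/)) next           # port is after the last dot
            if (substr(dst, RSTART + 1) != port) next    # only packets sent to our port
            src = $3
            if (!match(src, /\.[0-9]+$/)) next
            key = substr(src, 1, RSTART - 1) " " substr(src, RSTART + 1)
            if (!(key in seen)) { seen[key] = 1; print key }   # one line per sender
        }'
}

# Constructed tcpdump -nn summary lines (documentation-range addresses) so the
# example runs offline; the server's replies and traffic to another port are
# included to show that they are filtered out.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.0.2.20.54321 > 192.0.2.10.1234: Flags [P.], seq 1:13, ack 1, win 502, length 12
12:00:01.000500 IP 192.0.2.10.1234 > 192.0.2.20.54321: Flags [.], ack 13, win 509, length 0
12:00:02.000000 IP 192.0.2.40.9999 > 192.0.2.10.1234: UDP, length 8
12:00:03.000000 IP 192.0.2.20.54321 > 192.0.2.10.1234: Flags [P.], seq 13:25, ack 1, win 502, length 12
12:00:04.000000 IP6 2001:db8::20.40000 > 2001:db8::10.1234: Flags [S], seq 0, win 64800, length 0
12:00:05.000000 IP 192.0.2.50.33333 > 192.0.2.10.22: Flags [S], seq 0, win 64240, length 0
EOF
}

sample_capture | capture_sources 1234
```

On the sample this prints three senders (192.0.2.20 54321, 192.0.2.40 9999 and 2001:db8::20 40000); the repeated packet from 192.0.2.20, the server's own reply and the SYN to port 22 are dropped. With the sender's address and source port in hand, the first answer's lsof -nPi tcp:54321 (or ss -tunap) on that host names the process, which is the step tcpdump and netstat alone cannot take.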